[ISN] Linux Advisory Watch: May 2nd, 2008

From: InfoSec News (alerts@private)
Date: Mon May 05 2008 - 00:50:05 PDT


+------------------------------------------------------------------------+
| LinuxSecurity.com                                    Weekly Newsletter |
| May 2nd, 2008                                      Volume 9, Number 18 |
|                                                                        |
| Editorial Team:                Dave Wreski <dwreski@private> |
|                         Benjamin D. Thomas <bthomas@private> |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week security advisories were issued for JRockit, KDE, SILC, dbmail,
gstreamer-plugins-good, iceape, java-1.4.2-bea, java-1.5.0-bea,
java-1.6.0-bea, kronolith2, ldm, libpng, perl, phpgedview, phpmyadmin,
speex, thunderbird, tomcat, vorbis-tools, wireshark, wml, wordpress, and
xulrunner.  The distributors included Debian, Fedora, Gentoo, Mandriva,
Red Hat, and Slackware.

---

>> Linux+DVD Magazine <<

Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software. The majority of our readers is between 15 and 40
years old. They are interested in current news from the Linux world,
upcoming projects etc.

In each issue you can find information concerning typical use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=3D26

---

Review: The Book of Wireless
----------------------------
=93The Book of Wireless=94 by John Ross is an answer to the problem of
learning about wireless networking. With the wide spread use of Wireless
networks today anyone with a computer should at least know the basics of
wireless. Also, with the wireless networking, users need to know how to
protect themselves from wireless networking attacks.

http://www.linuxsecurity.com/content/view/136167

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

--------------------------------------------------------------------------

* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
  -------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.19 (Version 3.0, Release 19).  This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/136174

--------------------------------------------------------------------------

* Debian: New asterisk packages fix denial of service (Apr 30)
  ------------------------------------------------------------
  Joel R. Voss discovered that the IAX2 module of Asterisk, a free
  software PBX and telephony toolkit performs insufficient validation of
  IAX2 protocol messages, which may lead to denial of service.

  http://www.linuxsecurity.com/content/view/136679

* Debian: New iceape packages fix arbitrary code execution (Apr 28)
  -----------------------------------------------------------------
  It was discovered that crashes in the Javascript engine of Iceape, an
  unbranded version of the Seamonkey internet suite could potentially
  lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/136539

* Debian: New ldm packages fix information disclosure (Apr 28)
  ------------------------------------------------------------
  Christian Herzog discovered that within the Linux Terminal Server
  Project, it was possible to connect to X on any LTSP client from any
  host on the network, making client windows and keystrokes visible to
  that host.

  http://www.linuxsecurity.com/content/view/136538

* Debian: New kronolith2 packages fix cross site scripting (Apr 28)
  -----------------------------------------------------------------
  "The-0utl4w" discovered that the Kronolith, calendar component for the
  Horde Framework, didn't properly sanitise URL input, leading to a
  cross-site scripting vulnerability in the add event screen.

  http://www.linuxsecurity.com/content/view/136535

* Debian: New perl packages fix denial of service (Apr 27)
  --------------------------------------------------------
  It has been discovered that the Perl interpreter may encounter a buffer
  overflow condition when compiling certain regular expressions
  containing Unicode characters.  This also happens if the offending
  characters are contained in a variable reference protected by the
  \Q...\E quoting construct.  When encountering this condition, the Perl
  interpreter typically crashes, but arbitrary code execution cannot be
  ruled out.

  http://www.linuxsecurity.com/content/view/136530

* Debian: New phpgedview packages fix cross site scripting (Apr 27)
  -----------------------------------------------------------------
  It was discovered that phpGedView, an application to provide online
  access to genealogical data, performed insufficient input sanitising on
  some parameters, making it vulnerable to cross site scripting.

  http://www.linuxsecurity.com/content/view/136529

* Debian: New wml packages fix denial of service (Apr 27)
  -------------------------------------------------------
  Frank Lichtenheld and Nico Golde discovered that WML, an off-line
  HTML generation toolkit, creates insecure temporary files in the
  eperl and ipp backends and in the wmg.cgi script, which could lead
  to local denial of service by overwriting files.

  http://www.linuxsecurity.com/content/view/136528

* Debian: New xulrunner packages fix arbitrary code execution (Apr 24)
  --------------------------------------------------------------------
  It was discovered that crashes in the Javascript engine of xulrunner,
  the Gecko engine library, could potentially lead to the execution of
  arbitrary code.

  http://www.linuxsecurity.com/content/view/136520

* Debian: New iceape packages fix regression (Apr 24)
  ---------------------------------------------------
  Several remote vulnerabilities have been discovered in the Iceape
  internet suite, an unbranded version of the Seamonkey Internet Suite.
  The Common Vulnerabilities and Exposures project identifies the
  following problems:

  http://www.linuxsecurity.com/content/view/136519

* Debian: New phpmyadmin packages fix several vulnerabilities (Apr 24)
  --------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in phpMyAdmin, an
  application to administrate MySQL over the WWW. The Common
  Vulnerabilities and Exposures project identifies the following
  problems:

  http://www.linuxsecurity.com/content/view/136518

* Debian: New perl packages fix denial of service (Apr 24)
  --------------------------------------------------------
  It has been discovered that the Perl interpreter may encounter a buffer
  overflow condition when compiling certain regular expressions
  containing Unicode characters.  This also happens if the offending
  characters are contained in a variable reference protected by the
  \Q...\E quoting construct.  When encountering this condition, the Perl
  interpreter typically crashes, but arbitrary code execution cannot be
  ruled out.

  http://www.linuxsecurity.com/content/view/136517

--------------------------------------------------------------------------

* Fedora 8 Update: dbmail-2.2.9-1.fc8 (Apr 29)
  --------------------------------------------
  Fix possible authentication bypass in authldap authentication module
  when dbmail is used with LDAP servers allowing anonymous logins -
  CVE-2007-6714 (#443019).

  http://www.linuxsecurity.com/content/view/136590

* Fedora 7 Update: wordpress-2.5.1-1.fc7 (Apr 29)
  -----------------------------------------------
  This updates contains security fixes:
  http://wordpress.org/development/2008/04/wordpress-251/

  http://www.linuxsecurity.com/content/view/136565

--------------------------------------------------------------------------

* Gentoo: KDE start_kdeinit Multiple vulnerabilities (Apr 29)
  -----------------------------------------------------------
  =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D Multiple vulnerabilities in star=
t_kdeinit
  could possibly allow a local attacker to execute arbitrary code with
  root privileges.

  http://www.linuxsecurity.com/content/view/136541

* Gentoo: JRockit Multiple vulnerabilities (Apr 24)
  -------------------------------------------------
  Multiple vulnerabilities have been identified in BEA JRockit.

  http://www.linuxsecurity.com/content/view/136516

* Gentoo: SILC Multiple vulnerabilities (Apr 24)
  ----------------------------------------------
  Multiple vulnerabilities were found in SILC Client, Server, and
  Toolkit, allowing for Denial of Service and execution of arbitrary
  code.

  http://www.linuxsecurity.com/content/view/136515

--------------------------------------------------------------------------

* Mandriva: Updated speex packages fix vulnerabilities (Apr 29)
  -------------------------------------------------------------
  A vulnerability in the Speex library was found where it did not
  properly validate input values read from the Speex files headers. An
  attacker could create a malicious Speex file that would crash an
  application or potentially allow the execution of arbitrary code with
  the privileges of the application calling the Speex library
  (CVE-2008-1686). The updated packages have been patched to correct this
  issue.

  http://www.linuxsecurity.com/content/view/136670

* Mandriva: Updated gstreamer-plugins-good packages fix (Apr 29)
  --------------------------------------------------------------
  A vulnerability in the Speex library was found where it did not
  properly validate input values read from the Speex files headers. An
  attacker could create a malicious Speex file that would crash an
  application or potentially allow the execution of arbitrary code with
  the privileges of the application calling the Speex library
  (CVE-2008-1686). The speex plugin in the gstreamer-plugins-good package
  is similarly affected by this issue. The updated packages have been
  patched to correct this issue.

  http://www.linuxsecurity.com/content/view/136669

* Mandriva: Updated vorbis-tools packages fix vulnerabilities (Apr 29)
  --------------------------------------------------------------------
  A vulnerability in the Speex library was found where it did not
  properly validate input values read from the Speex files headers. An
  attacker could create a malicious Speex file that would crash an
  application or potentially allow the execution of arbitrary code with
  the privileges of the application calling the Speex library
  (CVE-2008-1686). The ogg123 application in vorbis-tools is similarly
  affected by this issue. The updated packages have been patched to
  correct this issue.

  http://www.linuxsecurity.com/content/view/136668

* Mandriva: Updated wireshark packages fix denial of service (Apr 24)
  -------------------------------------------------------------------
  A few vulnerabilities were found in Wireshark, that could cause it to
  crash or hang under certain conditions. This update provides Wireshark
  1.0.0, which is not vulnerable to the issues.

  http://www.linuxsecurity.com/content/view/136521

--------------------------------------------------------------------------

* RedHat: Moderate: thunderbird security update (Apr 30)
  ------------------------------------------------------
  Updated thunderbird packages that fix a security issue are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/136678

* RedHat: Moderate: tomcat security update (Apr 28)
  -------------------------------------------------
  Updated tomcat packages that fix multiple security issues are now
  available for Red Hat Developer Suite 3. This update has been rated as
  having moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/136531

* RedHat: Moderate: java-1.4.2-bea security update (Apr 28)
  ---------------------------------------------------------
  Updated java-1.4.2-bea packages that fix a security issue are now
  available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise
  Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary. This
  update has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/136532

* RedHat: Moderate: java-1.5.0-bea security update (Apr 28)
  ---------------------------------------------------------
  Updated java-1.5.0-bea packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. This update has been rated as having moderate security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/136533

* RedHat: Moderate: java-1.6.0-bea security update (Apr 28)
  ---------------------------------------------------------
  Updated java-1.6.0-bea packages that correct several security issues
  are now available for Red Hat Enterprise Linux 5 Supplementary.  This
  update has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/136534

--------------------------------------------------------------------------

* Slackware:   libpng (Apr 29)
  ----------------------------
  New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
  10.1, 10.2, 11.0, 12.0, and -current to fix a security issue. More
  details about this issue may be found in the Common Vulnerabilities and
  Exposures (CVE) database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2008-1382 Additional
  information can be found in the libpng source, or in this file on the
  libpng FTP site:
  ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng-1.2.27-README.txt

  http://www.linuxsecurity.com/content/view/136540

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon May 05 2008 - 01:06:55 PDT